Private Industry Takes Action Against Global Cyber Threats

In Operation Blockbuster, a Novetta-led coalition of private industry partners joined together to identify, understand, expose, and aid industry in degrading the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including the November 2014 Sony Pictures attack. Our story demonstrates private industry’s new role in ensuring the balance of global cyber defense.

Unraveling the Long Thread

The Sony Pictures attack broke new ground not only as a destructive malware attack on a US commercial entity but also because the US government attributed the attack to a nation-state. In Operation Blockbuster, what began as a hunt to find the truth behind the conflicting media outpouring on the Sony Pictures attack soon revealed an even broader, long-running and sophisticated group than previously reported.

The Backstory

In November 2014, Sony was weeks away from releasing The Interview, a raucous comedy mocking North Korea and its leader. After receiving a series of suspicious threats from an unidentified group, Sony pulled the movie from theaters. The threats turned into action. Soon, Sony executives found that private email correspondence had been hacked and made public. Celebrities became targets. Sony’s secrets were revealed.

The Lazarus Group

Novetta’s Operation Blockbuster team identified patterns in the malware used in the Sony Pictures attack. The code seemed to appear, fall dormant, then reappear again. This led Novetta to create the moniker “The Lazarus Group” to describe this well-organized and well-connected threat actor. Evidence showed the Lazarus Group’s malware has been active since at least 2009, linking the group to multiple publicly disclosed cyber attacks over a span of years. Unraveling the long thread revealed a much greater level of persistence and sophistication than had been previously reported.

Infrastructure & Tactics

Evidence shows that the Lazarus Group’s tactics included DDoS and destructive malware attacks, pop-up hacktivist groups to mislead and divert focus, along with spear phishing documents, use of malicious worms and spreaders, and more. The Operation Blockbuster report lays out the details of the Lazarus Group’s TTPs. We’ve also expanded our findings in even greater detail in a collection of summary reports. Take a deep dive into the technical information in our Resources section.

What We Accomplished

The Operation Blockbuster team identified more than 45 malware families attributed to the Lazarus Group’s operations over a period of at least 7 years. These malware variants have been under active development since at least 2009. Working as a united coalition, industry partners worked together to bring to light this threat group as well as mitigate identified malicious tools. We have pushed AV, IDS, and YARA signatures to identify associated Lazarus Group tools and traffic.

Operation Blockbuster Contributors

Operation Blockbuster was spearheaded by Novetta’s Threat Research and Interdiction Group (TRIG), working in close partnership with a group of trusted experts from cybersecurity, antivirus and malware protection, intelligence and research firms. The cross-industry partnership and the scope of the operation’s reach signify a new security role and posture for private industry. The Lazarus Group activity shows the cyber landscape has evolved. The Novetta-led team demonstrates industry can be a highly agile, capable and effective force in tracking and interdicting global cyber crime. Meet the Operation Blockbuster contributors.